DynELF outputs a bad warning #989

Closed
TethysSvensson opened this issue May 23, 2017 · 4 comments

@TethysSvensson
Contributor

DynELF will sometimes output the warning `No ELF provided.  Leaking is much faster if you have a copy of the ELF being leaked.`, even though an ELF was provided. It seems to be because it calls itself recursively.

```python
from pwn import *

r = process('./foo')
ptr = safeeval.const(r.readline().strip()) - 0x201038

def leak(addr):
    # Read from addr up to the end of its 4 KiB page
    size = (addr | 0xfff) + 1 - addr
    r.send(p64(addr) + p64(size))
    data = r.recvn(size)
    return data

dynelf = DynELF(leak, pointer = ptr, elf = ELF('./foo'))
dynelf.lookup('system', 'libc')
```

```c
// Compile with: gcc -fpie foo.c -o foo
#include <stdio.h>
#include <stdint.h>

uintptr_t ptr;
size_t size;

int main() {
  printf("%p\n", (void*) &ptr);

  // Test target: reads an (address, size) pair and writes that memory to stdout
  while(1) {
    if (fread(&ptr,  sizeof(ptr),  1, stdin) != 1) break;
    if (fread(&size, sizeof(size), 1, stdin) != 1) break;
    if (fwrite((void*) ptr, size, 1, stdout) != 1) break;
    fflush(stdout);
  }
}
```

```
[+] Starting local process './foo': pid 12989
[*] '/tmp/wut/foo'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
    FORTIFY:  Enabled
[+] Loading from '/tmp/wut/foo': 0x7fccd4f0c168
[+] Resolving 'system' in 'libc.so': 0x7fccd4f0c168
[!] No ELF provided.  Leaking is much faster if you have a copy of the ELF being leaked.
[*] Trying lookup based on Build ID: d1cefae0e95588b90000be5c2d0ee8d18db5dbfe
[*] Using cached data from '/home/idolf/.pwntools-cache/libcdb/build_id/d1cefae0e95588b90000be5c2d0ee8d18db5dbfe'
[*] Stopped process './foo' (pid 12989)
```

@zachriggle
Member

Yeah, I remember seeing this a while ago. Thanks for filing a bug! I don't look forward to fixing this one :(

@Arusekk
Member

Arusekk commented Jun 9, 2021

This seems to be a warning that the libc ELF is not provided/found on libcdb, not the ELF of the binary itself. Not sure, though.

@heapcrash
Collaborator

I think @TethysSvensson's issue was that even if a libc ELF() is directly provided, it still complains about it not being provided.

```python
dynelf = DynELF(leak, pointer = ptr, elf = ELF('./foo'))
dynelf.lookup('system', 'libc')
```

```
[!] No ELF provided.  Leaking is much faster if you have a copy of the ELF being leaked.
```

@Arusekk
Member

Arusekk commented Mar 1, 2025

This is only about libc. Works just as expected: libc is never given explicitly. (Local libc should now be tried first since #2325 anyway.)

@Arusekk closed this as not planned on Mar 1, 2025